Windows 2003 High Security Standard

Scope

The guidance in this standard shall be considered the minimum acceptable requirements for the configuration of Windows High Security 2003 Server. This standard sets forth expectations across the entire organization. Additional guidance and control measures may apply to certain areas of Symantec. This standard shall not be construed to limit application of more stringent requirements where justified by business needs or assessed risks.

Windows High Security 2003 Server Standard

Corporate’s business functions rely upon the integrity, confidentiality, and availability of its computer systems and the information assets stored within them. Responsibilities and procedures for the management, operation and security of all information processing facilities must be established. This Policy supports the stated objectives.

It is the policy of Corporate to create a minimum recommended standard for the configuration of High Security Windows 2003 servers that are owned and/or operated by Symantec, its employees, contractors, and associated entities. The goal of this Standard is to provide the best possible security while preserving the functionality necessary to perform critical business functions within the requirements of a business environment. In some instances, the settings listed in this document may be impractical or require extensive redesign in order to meet the operational and/or functional requirements of a particular system or piece of software. Redesign efforts are outside the scope of this document, and should be treated as exclusions to the standard.

Roles & Responsibilities

Every person who manages a Symantec Windows 2003 server, or is involved with the server configuration process on Corporate’s networks and/or external servers containing Symantec information using the Windows 2003 operating system, must comply with this standard before placing it on a Symantec production network.
The IT Custodian is responsible for defining and implementing security measures and controls to ensure the system(s)/application(s) are managed and operated in a secure and effective manner.

The Windows OS Engineering Department has the responsibility to ensure that all Symantec servers meet these minimum baseline standards of the operating system during the build phase of the server, before the server is attached to any production network. They are also responsible for implementing security measures and controls to ensure compliance with Information Security policies and to meet the legal, statutory, regulatory and contractual obligations of the Company.

Differences between Windows 2003 server standards and Windows High Security server standards are highlighted.

Requirements and Implementations

Service Packs and Hotfixes
o Major: current service pack installed.
o Minor: hotfix requirements, hotfixes recognized by HFNetChk.

Auditing and Account Policies
o Major Auditing and Account Policies Requirements
  Minimum password length: 12 characters
  Maximum password age: 90 days
o Minor Auditing and Account Policies Requirements

  Audit Policy (minimums)
  Audit Account Logon Events: Success and Failure
  Audit Account Management: Success and Failure
  Audit Directory Service Access: <Not Defined>
  Audit Logon Events: Success and Failure
  Audit Object Access: Success and Failure
  Audit Policy Change: Success (minimum)
  Audit Privilege Use: <Not Defined>
  Audit Process Tracking: <Not Defined>
  Audit System Events: Success (minimum)

  Account Policy
  Minimum Password Age: 1 day
  Maximum Password Age: 90 days
  Minimum Password Length: 12 characters (as per major requirements)
  Password Complexity: Enabled
  Password History: 6 passwords remembered
  Store Passwords Using Reversible Encryption: Disabled

  Account Lockout Policy
  Account Lockout Duration: 60 minutes
  Account Lockout Threshold: 3 bad login attempts
  Reset Account Lockout Counter After: 30 minutes

Event Log Settings – Application, Security, and System Logs

Application Log
o Maximum Event Log Size: 16 MB (minimum)
o Restrict Guest Access to Logs: Enabled
o Log Retention Method: <Not Defined>
o Log Retention: <Not Defined>

Security Log
o Maximum Event Log Size: 80 MB (minimum)
o Restrict Guest Access to Logs: Enabled
o Log Retention Method: <Not Defined>
o Log Retention: <Not Defined>

System Log
o Maximum Event Log Size: 16 MB (minimum)
o Restrict Guest Access to Logs: Enabled
o Log Retention Method: <Not Defined>
o Log Retention: <Not Defined>

Security Settings
o Major Security Settings
  Network access: Allow anonymous SID/Name translation: Disabled
  Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
  Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
o Minor Security Settings

  Security Options
  Accounts: Administrator account status: <Not Defined>
  Accounts: Guest account status: Disabled
  Accounts: Limit local account use of blank passwords to console logon only: Enabled
  Accounts: Rename administrator account: <non-standard>
  Accounts: Rename guest account: <non-standard>
  Audit: Audit the access of global system objects: <Not Defined>
  Audit: Audit the use of Backup and Restore privilege: <Not Defined>
  Audit: Shut down system immediately if unable to log security audits: <Not Defined>
  DCOM: Machine Access Restrictions in Security Descriptor Definition Language: Enabled
  DCOM: Machine Launch Restrictions in Security Descriptor Definition Language: <Not Defined>
  Devices: Allow undock without having to log on: <Not Defined>
  Devices: Allowed to format and eject removable media: Administrators
  Devices: Prevent users from installing printer drivers: Enabled
  Devices: Restrict CD-ROM access to locally logged-on user only: <Not Defined>
  Devices: Restrict floppy access to locally logged-on user only: <Not Defined>
  Devices: Unsigned driver installation behavior: Warn, but allow
  Domain controller: Allow server operators to schedule tasks: <Not Applicable>
  Domain controller: LDAP server signing requirements: <Not Applicable>
  Domain controller: Refuse machine account password changes: <Not Applicable>
  Domain member: Digitally encrypt or sign secure channel data (always): <Not Defined>
  Domain member: Digitally encrypt secure channel data (when possible): Enabled
  Domain member: Digitally sign secure channel data (when possible): Enabled
  Domain member: Disable machine account password changes: Disabled
  Domain member: Maximum machine account password age: 30 days
  Domain member: Require strong (Windows 2000 or later) session key: Enabled
  Interactive logon: Do not display last user name: Enabled
  Interactive logon: Do not require CTRL+ALT+DEL: Disabled
  Interactive logon: Message text for users attempting to log on: <Custom, or DoJ approved>
  Interactive logon: Message title for users attempting to log on: <Custom, or DoJ approved>
  Interactive logon: Number of previous logons to cache: <Not Defined>
  Interactive logon: Prompt user to change password before expiration: 14 days
  Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled
  Interactive logon: Require smart card: <Not Defined>
  Interactive logon: Smart card removal behavior: Lock Workstation
  Microsoft network client: Digitally sign communications (always): Enabled
  Microsoft network client: Digitally sign communications (if server agrees): Enabled
  Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled
  Microsoft network server: Amount of idle time required before disconnecting session: 15 minutes
  Microsoft network server: Digitally sign communications (always): <Not Defined>
  Microsoft network server: Digitally sign communications (if client agrees): Enabled
  Microsoft network server: Disconnect clients when logon hours expire: Enabled
  Network access: Do not allow storage of credentials or .NET Passports for network authentication: Enabled
  Network access: Let Everyone permissions apply to anonymous users: Disabled
  Network access: Named pipes that can be accessed anonymously: <None>
  Network access: Remotely accessible registry paths:
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Server Applications
    Software\Microsoft\Windows NT\CurrentVersion
  Network access: Remotely accessible registry paths and sub-paths:
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Software\Microsoft\Windows NT\CurrentVersion\Perflib
    System\CurrentControlSet\Services\SysmonLog
  Network access: Restrict anonymous access to Named Pipes and Shares: Enabled
  Network access: Shares that can be accessed anonymously: <None>
  Network access: Sharing and security model for local accounts: Classic
  Network security: Do not store LAN Manager hash value on next password change: Enabled
  Network security: Force logoff when logon hours expire: <Not Defined>
  Network security: LAN Manager authentication level: Send NTLMv2 response only, refuse LM and NTLM
  Network security: LDAP client signing requirements: Negotiate signing or Require signing
  Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require message integrity, message confidentiality, NTLMv2 session security, 128-bit encryption
  Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require message integrity, message confidentiality, NTLMv2 session security, 128-bit encryption
  Recovery console: Allow automatic administrative logon: Disabled
  Recovery console: Allow floppy copy and access to all drives and all folders: <Not Defined>
  Shutdown: Allow system to be shut down without having to log on: Disabled
  Shutdown: Clear virtual memory pagefile: <Not Defined>
  System cryptography: Force strong key protection for user keys stored on the computer: User must enter a password each time they use a key
  System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: <Not Defined>
  System objects: Default owner for objects created by members of the Administrators group: Object creator
  System objects: Require case insensitivity for non-Windows subsystems: <Not Defined>
  System objects: Strengthen default permissions of internal system objects: Enabled
  System settings: Optional subsystems: <None>
  System settings: Use Certificate Rules on Windows executables for Software Restriction Policies: <Not Defined>

  MSS Settings
  MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended): 10
  MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended): Enabled
  MSS: (AFD MaximumDynamicBacklog) Maximum number of 'quasi-free' connections for Winsock applications: 20000
  MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise): 20
  MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing): Highest protection, source routing is automatically disabled
  MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS): Disabled
  MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes: Disabled
  MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU): Enabled
  MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers: Enabled
  MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS): Disabled
  MSS: (SynAttackProtect) SYN attack protection level (protects against DoS): Connections time out sooner if a SYN attack is detected
  MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged: 3 & 6 seconds, half-open connections dropped after 21 seconds
  MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default): 3
  MSS: (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended): 5
  MSS: Disable Autorun for all drives: 255, disable autorun for all drives
  MSS: Enable Safe DLL search mode: Enabled
  MSS: Enable the computer to stop generating 8.3 style filenames: Enabled
  MSS: How often keep-alive packets are sent in milliseconds: 300000
  MSS: Percentage threshold for the security event log at which the system will generate a warning: <Not Defined>
  MSS: The time in seconds before the screen saver grace period expires: 0

Additional Security Protection
o Available Services (permissions on the services listed here: Administrators: Full Control; Interactive: Read)
  Alerter: Disabled
  Client Services for NetWare: Disabled
  ClipBook: Disabled
  Fax Service: Disabled
  File Replication: Disabled
  File Services for Macintosh: Disabled
  FTP Publishing Service: Disabled
  Help and Support: Disabled
  HTTP SSL: Disabled
  IIS Admin Service: Disabled
  Indexing Service: Disabled
  License Logging Service: Disabled
  Messenger: Disabled
  Microsoft POP3 Service: Disabled
  NetMeeting Remote Desktop Sharing: Disabled
  Network Connections: Manual
  Network News Transport Protocol (NNTP): Disabled
  Print Server for Macintosh: Disabled
  Print Spooler: Disabled
  Remote Access Auto Connection Manager: Disabled
  Remote Access Connection Manager: Disabled
  Remote Administration Service: Disabled
  Remote Desktop Help Session Manager: Disabled
  Remote Installation: Disabled
  Remote Procedure Call (RPC) Locator: Disabled
  Remote Registry Service: Disabled
  Remote Server Manager: Disabled
  Remote Server Monitor: Disabled
  Remote Storage Notification: Disabled
  Remote Storage Server: Disabled
  Simple Mail Transfer Protocol (SMTP): Disabled
  Simple Network Management Protocol (SNMP) Service: Disabled
  Simple Network Management Protocol (SNMP) Trap: Disabled
  Telephony: Disabled
  Telnet: Disabled
  Terminal Services: Disabled
  Trivial FTP Daemon: Disabled
  Volume Shadow Service: Enabled
  Wireless Configuration: Disabled
  Windows Media Server: Disabled
  World Wide Web Publishing Service: Disabled
o Data Execution Prevention: Enabled
o User Rights
  Access this computer from the network: Administrators, Authenticated Users
  Act as part of the operating system: <None>
  Add workstations to domain: <Not Defined>
  Adjust memory quotas for a process: NETWORK SERVICE, LOCAL SERVICE, Administrators
  Allow log on locally: Administrators
  Allow log on through Terminal Services: Administrators
  Back up files and directories: <Not Defined>
  Bypass traverse checking: <Not Defined>
  Change the system time: Administrators
  Create a pagefile: Administrators
  Create a token object: <None>
  Create global objects: <Not Defined>
  Create permanent shared objects: <None>
  Debug programs: <None>
  Deny access to this computer from the network (minimum): ANONYMOUS LOGON, Guests
  Deny log on as a batch job: <Not Defined>
  Deny log on as a service: <Not Defined>
  Deny log on locally: <Not Defined>
  Deny log on through Terminal Services (minimum): <Not Defined>
  Enable computer and user accounts to be trusted for delegation: <None>
  Force shutdown from a remote system: Administrators
  Generate security audits: LOCAL SERVICE, NETWORK SERVICE
  Impersonate a client after authentication: SERVICE
  Increase scheduling priority: Administrators
  Load and unload device drivers: Administrators
  Lock pages in memory: Administrators
  Log on as a batch job: <None>
  Log on as a service: <Not Defined>
  Manage auditing and security log: Administrators
  Modify firmware environment values: Administrators
  Perform volume maintenance tasks: Administrators
  Profile single process: Administrators
  Profile system performance: Administrators
  Remove computer from docking station: Administrators
  Replace a process level token: NETWORK SERVICE, LOCAL SERVICE
  Restore files and directories: Administrators
  Shut down the system: Administrators
  Synchronize directory service data: <None>
  Take ownership of files or other objects: Administrators

Other System Requirements
o Ensure volumes are using the NTFS file system: All volumes
o Disable NetBIOS: <Not Defined>
o Enable the Internet Connection Firewall: <Not Defined>
o Restricted Groups: Remote Desktop Users: <None>
o Antivirus software present: <Not Defined>

File and Registry Permissions

File Permissions
* Unless stated otherwise, Administrators or System Full Control is full control for the designated folder and all contents.
  %SystemDrive%
    Administrators: Full; System: Full; Creator Owner: Full; Interactive: Read, Execute
  %SystemRoot%\system32\at.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\attrib.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\cacls.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\debug.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\drwatson.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\drwtsn32.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\edlin.exe
    Administrators: Full; System: Full; Interactive: Full
  %SystemRoot%\system32\eventcreate.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\eventtriggers.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\ftp.exe
    Administrators: Full; System: Full; Interactive: Full
  %SystemRoot%\system32\net.exe
    Administrators: Full; System: Full; Interactive: Full
  %SystemRoot%\system32\net1.exe
    Administrators: Full; System: Full; Interactive: Full
  %SystemRoot%\system32\netsh.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\rcp.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\reg.exe
    Administrators: Full; System: Full
  %SystemRoot%\regedit.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\regedt32.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\regsvr32.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\rexec.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\rsh.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\runas.exe
    Administrators: Full; System: Full; Interactive: Full
  %SystemRoot%\system32\sc.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\subst.exe
    Administrators: Full; System: Full
  %SystemRoot%\system32\telnet.exe
    Administrators: Full; System: Full; Interactive: Full
  %SystemRoot%\system32\tftp.exe
    Administrators: Full; System: Full; Interactive: Full
  %SystemRoot%\system32\tlntsvr.exe
    Administrators: Full; System: Full

Registry Permissions
* Unless stated otherwise, Administrators or System Full Control is full control for the designated key and all subkeys. Creator Owner Full Control is for subkeys only. Users permissions are for the current key, subkeys, and values.
  HKLM\Software
    Administrators: Full; System: Full; Creator Owner: Full; Users: Read
  HKLM\Software\Microsoft\Windows\CurrentVersion\Installer
    Administrators: Full; System: Full; Users: Read
  HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
    Administrators: Full; System: Full; Authenticated Users: Read
  HKLM\System
    Administrators: Full; System: Full; Creator Owner: Full; Users: Read
  HKLM\System\CurrentControlSet\Enum
    Administrators: Full; System: Full; Authenticated Users: Read
  HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
    Administrators: Full; System: Full; Creator Owner: Full
  HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
    Administrators: Full; System: Full; Creator Owner: Full
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings
    Administrators: Full; Users: Read
  HKLM\Software\Microsoft\MSDTC
    <Not Defined>
  HKU\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
    Administrators: Full; System: Full; Network Service: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Permissions; Users: Read
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
    Administrators: Full; System: Full; Users: Read

File and Registry Auditing
  %SystemDrive%: Everyone: Failures
  HKLM\Software: Everyone: Failures
  HKLM\System: Everyone: Failures
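A compliance check for the account policy, audit policy and LAN Manager settings required above, added here as an example and not part of the standard: it parses the INF that `secedit /export /cfg <file>.inf` writes on a server and reports every value that misses the minimums. The thresholds are the standard's; the section and key names, the audit bit mask and the sentinel values (-1 and 0) are the ones secedit uses, and the sample export is constructed, not taken from a real host.

```python
"""Check a `secedit /export /cfg <file>.inf` dump against this standard's minimums."""
# (section, key) -> (rule, value). Audit values are a mask: 1 Success, 2 Failure, 3 both.
BASELINE = {
    ("System Access", "MaximumPasswordAge"): ("le", 90),
    ("System Access", "MinimumPasswordLength"): ("ge", 12),
    ("System Access", "PasswordComplexity"): ("eq", 1),
    ("System Access", "LockoutBadCount"): ("le", 3),
    ("System Access", "LockoutDuration"): ("ge", 60),
    ("Event Audit", "AuditLogonEvents"): ("mask", 3),
    ("Event Audit", "AuditObjectAccess"): ("mask", 3),
    # Level 5 = send NTLMv2 only, refuse LM and NTLM; NoLMHash=1 = no LM hash stored.
    ("Registry Values", "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel"): ("ge", 5),
    ("Registry Values", "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash"): ("eq", 1),
}

def parse_inf(text):
    """Minimal parser for the INI-style export: {section: {key: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def compliant(key, op, actual, want):
    """Apply one rule, honouring secedit's sentinel values."""
    if key == "LockoutDuration" and actual == -1:  # -1: locked until an admin unlocks
        return True
    if key in ("MaximumPasswordAge", "LockoutBadCount") and actual <= 0:
        return False  # -1: passwords never expire / 0: lockout disabled
    return {"eq": actual == want, "ge": actual >= want,
            "le": actual <= want, "mask": actual & want == want}[op]

def check(sections):
    """Return [(leaf key, actual, rule)] for every setting that misses the standard."""
    findings = []
    for (section, key), (op, want) in BASELINE.items():
        raw = sections.get(section, {}).get(key)
        actual = None if raw is None else int(raw.rsplit(",", 1)[-1])  # registry: "type,value"
        if actual is None or not compliant(key, op, actual, want):
            findings.append((key.rsplit("\\", 1)[-1], actual, f"{op} {want}"))
    return findings

# Constructed sample export (not from a real host); NoLMHash is deliberately absent.
SAMPLE_INF = """[System Access]
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 3
LockoutDuration = -1
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
"""
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before handing the text to `parse_inf`; a setting that is absent from the export is reported as a finding rather than silently passed.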